DOCSIS (Data Over Cable Service Interface Specification) is an international standard that defines an interface for high-speed data transmission over cable networks. Among other things, DOCSIS specifies how cable modems are initialized and authenticated.
The initialization and authentication process according to DOCISv2 involves several steps including:    a) Downstream search during which a signal is found and an upstream channel descriptor (UCD) is obtained. The UCD contains information that the cable modem will need, such as the upstream frequency, modulation type and channel bandwidth to use in order to communicate with a cable modem termination system (CMTS).    b) Ranging during which the modem adjusts its transmit power, frequency and timing as necessary to compensate for the distance between the modem and the CMTS.    c) DHCP (Dynamic Host Configuration Protocol) during which the modem obtains additional information about the network, gets an IP address and gets the name of a configuration file.    d) ToD (Time of Day) provides a timestamp to cable modem (this step may be optional).    e) TFTP (Trivial File Transfer Protocol) during which the cable modem downloads the configuration file whose name it was given during the DHCP process.    f) Registration during which the cable modem sends a registration request to the CMTS along with a list of the modem's configuration settings. If the CMTS approves of the modem's settings, the cable modem will respond with a registration response indicating a successful registration.    g) BPI+ (Baseline Privacy Infrastructure) process during which the cable modem is authenticated. Upon successful authentication, keys for authentication and encryption of subsequent data frames are distributed to the cable modem. The expiration times of the keys are also set. The BPI+ process is used to perform cable modem authentication after registration. The BPI+ process requires a cable modem to present an X.509 certificate to authenticate itself during initialization. If a cable modem fails authentication, then the CMTS will reject service to the cable modem and prevent the cable modem from coming online.
It is specifically noted that the BPI+ process is the last step in the cable modem initialization process.
Settings in a cable modem configuration file establish whether a particular cable modem is configured to perform BPI+ and authentication. The CMTS will only enforce authentication if the cable modem notifies the CMTS in a registration request message (REG-REQ) that BPI+ is enabled for that cable modem.
A REG-REQ message is a DOCSIS MAC-layer packet that is sent to the CMTS by a cable modem after the cable modem undergoes address assignment using the dynamic host configuration protocol (DHCP) and after the modem downloads a configuration file using trivial file transfer protocol (TFTP).
The contents of a REG-REQ message includes data from the configuration file stored in the modem and the data from the configuration file specifies the particular services the cable modem is entitled to perform. This data is signed by a secret code, known only to a TFTP server and the CMTS. This data includes an indication of whether or not the cable modem must authenticate using BPI+. It is noted that the indication that a modem must use BPI+ is sent via the configuration file and it can be compromised.
The information that the CMTS uses to determine whether BPI+ authentication should happen for a particular cable modem is stored in the particular modem's configuration file. However, a thief can manipulate the cable modem configuration files and remove BPI+ requirements. If such a change is made, cable modem authentication can be bypassed even if a cable service operator has provided a configuration file to a cable modem that requires the cable modem to perform BPI+ authentication. Additionally, before BPI+ authentication, all messages between cable modem and CMTS are unprotected.